Subject: Minutes Aug 12 SSTC Conference Call
On Mon, Aug 11, 2008 at 9:50 PM, Hal Lockhart <hal.lockhart@oracle.com> wrote:
> Proposed Agenda SSTC Conference Call
> August 12, 2008, 12:00pm ET
>
> Dial in info: +1 215 446 3648
> Access code 270-9441#
>
> Roll Call & Agenda Review

Anil Saldhana has formally applied for leave of absence from August 6th to
August 27th. Brian Campbell will substitute for Anil today.

Voting Members Present
----------------------
George Fletcher       AOL*
Rob Philpott          EMC Corporation
Scott Cantor          Internet2
Nathan Klingenstein   Internet2
Eric Tiffany          Liberty Alliance Project
Tom Scavo             National Center for Supercomputing...
Frederick Hirsch      Nokia Corporation*
Srinath Godavarthi    Nortel
Paul Madsen           NTT Corporation*
Hal Lockhart          Oracle Corporation
Brian Campbell        Ping Identity Corporation*
Eve Maler             Sun Microsystems
Emily Xu              Sun Microsystems
David Staggs          Veterans Health Administration
John Bradley          Individual

Members Present
---------------
Peter Davis           NeuStar, Inc.*
Kent Spaulding        Tripod Technology Group, Inc.
Duane DeCouteau       Veterans Health Administration
Brian Campbell

> Need a volunteer to take minutes

Tom Scavo volunteered to take minutes.

> 1. Approve minutes from July 1, 2008
> http://lists.oasis-open.org/archives/security-services/200807/msg00029.html
>
> Approve minutes from July 15, 2008
> http://lists.oasis-open.org/archives/security-services/200807/msg00032.html

Both sets of minutes unanimously approved as given.

> 2. Document Status
>
> 2.1 Subject-based Profiles for SAML V1.1 Assertions: Public review ends Aug
> 12

Public review ends today. No comments have been received thus far.

> 2.2 Holder of Key Browser SSO Profile Draft-05 was posted
> http://lists.oasis-open.org/archives/security-services/200808/msg00001.html

This draft addresses recent comments made on the mailing list. Most
significantly, a "Use of Metadata" section has been added. Basically, the
draft proposes to overload the Binding attribute on the SingleSignOnService
and AssertionConsumerService elements to indicate the desired profile. A
future version will specify how to convey keying preferences in one or both
of metadata and AuthnRequest.

Comments re draft-05 have been submitted:
http://lists.oasis-open.org/archives/security-services/200808/msg00013.html

> 2.3 SAML2 Holder-of-Key Subject Confirmation Profile was posted
> http://lists.oasis-open.org/archives/security-services/200808/msg00021.html

Tom gives the following introduction to this profile:
http://lists.oasis-open.org/archives/security-services/200808/msg00021.html

Eve wonders if this is really an "Assertion Profile" (a term previously
proposed by Jeff Hodges). Nate wonders if metadata should be rolled into this
profile.

> 2.4 SAML V2.0 Metadata Interoperability Profile was posted
> http://lists.oasis-open.org/archives/security-services/200808/msg00029.html

This profile outlines a common set of considerations across deployments that
leverage metadata. The experience gleaned from a number of solution providers
gave rise to this profile, which allows greater scalability and
interfederation. There is overlap between this profile and the Subject
Confirmation Profile because of the use of <ds:KeyInfo>.

Hal asks if some of these concepts or profiles that have been submitted
recently can be combined. It's probably best to do things once in one place.
Scott notes that interoperability is limited by the use of <ds:KeyInfo>, which
is the key element in this profile. In that sense, yes, it would be beneficial
to derive a common set of requirements around <ds:KeyInfo>. Eric reports that
some interoperability experience regarding <ds:KeyInfo> might be forthcoming.

> 3. Discussion Threads
>
> 3.1 NIST 800-63 draft doc refs related to assertions and Level 4
> http://lists.oasis-open.org/archives/security-services/200807/msg00031.html

Eric provided the above summary. Bob posted a summary of a related discussion
he had with Tim Polk (NIST):
http://lists.oasis-open.org/archives/security-services/200808/msg00006.html

Hal notes two issues:
1. NIST's definition of "assertion" needs some work
2. From Bob's comments, the Holder-of-Key Browser SSO Profile might be
   relevant (i.e., it may be used as a basis for redefining "assertion")

What's the best way to proceed? Sounds like someone from SSTC needs to
prepare some text to submit to NIST. Eric's text is a good start. Eric will
write something up. Scott and/or Nate will provide technical assistance, if
needed.

> 3.2 Overloading Endpoints
> http://lists.oasis-open.org/archives/security-services/200807/msg00033.html

Scott notes the following issues: 1) how do we extend metadata, and 2) do we
overload endpoints or provide separate endpoints. Extensions are optional, so
an entity that doesn't know about the extension will not be aware that an
endpoint is overloaded (which may lead to problems).

As an example of an overloaded endpoint, consider ordinary Browser SSO and
Holder-of-Key Browser SSO. Such an endpoint works fine for an SP looking for
a Holder-of-Key Browser SSO endpoint, but the same endpoint doesn't work so
well for an SP looking for ordinary Browser SSO. This could lead to some
difficulties, especially for the browser user. In general, a metadata profile
shouldn't force deployers to run a new profile at an existing endpoint, but
this should be allowed at least.

There are three ways to extend metadata:
1) the Extensions element,
2) add an XML attribute to an existing endpoint (like Nate proposed in the
   Holder-of-Key Browser SSO Profile), or
3) define a new role (e.g., by extending an existing role or defining a new
   RoleDescriptorType).

Hal suggested something more detailed could be written in the wiki about
extending metadata.

> 3.3 Request for clarification regarding simple-sign spec
> http://lists.oasis-open.org/archives/security-services/200807/msg00039.html

Scott answered George's question but this didn't really solve his problem.
The basic problem is the use of HTTP as a synchronous binding mechanism. If
using SOAP, the issue of Destination doesn't come up.

REMARK: A point-to-point HTTP binding might be useful if one wanted to avoid
full XML signature.

Hal suggests George should document this in a separate profile (i.e., the use
of an HTTP point-to-point binding in conjunction with SimpleSign). George may
follow up on this, which is as easy as sending e-mail to the list.

> 3.4 SLO behavior with MNI
> http://lists.oasis-open.org/archives/security-services/200807/msg00041.html

Scott replied to Ari's query; nobody disagreed. Ari is not on the call to
comment further. Open question: Does Ari think errata is necessary?

> 3.5 comments re draft-sstc-saml2-infocard-01
> http://lists.oasis-open.org/archives/security-services/200808/msg00003.html

Scott very recently uploaded a new draft of this profile:
http://lists.oasis-open.org/archives/security-services/200808/msg00022.html
http://lists.oasis-open.org/archives/security-services/200808/msg00023.html
http://lists.oasis-open.org/archives/security-services/200808/msg00024.html

Please feel free to comment further on the mailing list. By the way, a new
version of the Identity Selector Interoperability Profile has been released.
This will have to be referenced ultimately in draft-sstc-saml2-infocard.

> 3.6 Proposal made to WSFED TC involving SAML metadata
> http://lists.oasis-open.org/archives/security-services/200808/msg00005.html

Eve submitted this proposal and asks that people take a look at it. The WSFED
TC may profile SAML metadata to use in WSFED. The proposal does not use all of
the SAML metadata specification, but it is consistent. Scott described the
three ways to extend metadata (above) to Don Schmidt (WSFED). They may define
a new RoleDescriptorType with new EndpointTypes. Is this the best and/or
easiest approach? This is still an open issue.

Two issues have come up in the WSFED TC: 1) there is some messy text in the
metadata specification that requires errata, 2) the WSFED TC wonders if the
SAML TC is amenable to the emerging WSFED metadata profile.

Hal asks that TC members look at this proposal. Don Schmidt (WSFED) may be
invited to a subsequent SSTC call to discuss the proposal. Emily notes the
WSFED TC is proposing a new attribute that identifies the relevant
circle-of-trust (i.e., federation).

> 3.7 comments re sstc-saml-holder-of-key-browser-sso-draft-05
> http://lists.oasis-open.org/archives/security-services/200808/msg00013.html

Tom made some comments on the list:
http://lists.oasis-open.org/archives/security-services/200808/msg00013.html

Nate hasn't yet responded to these comments. All further comments should be
sent to the mailing list.

> 4. Other business

David Staggs will submit a new version of the "Cross-Enterprise Security and
Privacy Authorization (XSPA) Profile of Security Assertion Markup Language
(SAML)". Hal suggests that David simply submit the profile to the mailing list
(instead of initiating an action item) and then update the wiki.

> 5. Action Items (report created 11 August 2008 09:47pm EDT)
>
> #0328: Revise SimpleSign
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-05-19
> Due: ---

still open

> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

still open (chairs will try to contact Sampo)

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

still open (chairs will try to contact Sampo)

> #0334: SSTC home page cleanup after and linking to content from AI#335
> Owner: Brian Campbell
> Status: Open
> Assigned: 2008-05-28
> Due: ---

still open

> #0337: Organize Profile Intentions Wiki
> Owner: Eve Maler
> Status: Open
> Assigned: 2008-07-08
> Due: 2008-07-15

closed

> #0338: Circulate Infocard Profile for review
> Owner: Eve Maler
> Status: Open
> Assigned: 2008-07-08
> Due: ---

closed

> #0340: Circulate Infocard Profile for review
> Owner: John Bradley
> Status: Open
> Assigned: 2008-07-08
> Due: ---

closed

> Hal

The next SSTC concall is scheduled for 26 Aug 2008.

Respectfully submitted,
Tom Scavo
NCSA
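As an added illustration of the "overloaded endpoint" concern discussed under item 3.2 (this is example code written for this page, not part of the minutes, of draft-05, or of any SSTC deliverable), the following Python scans a SAML 2.0 metadata document for endpoint Locations that appear under more than one Binding and for Binding URIs outside the standard set, and shows what a plain SP that selects by Binding alone would pick. The sample metadata is constructed; the binding URI `urn:example:hok-browser-sso-PLACEHOLDER` is a placeholder standing in for whatever profile-specific value a draft might assign to the Binding attribute, not a URI from any specification. The function names are this example's own.

```python
# Added example (not from the minutes): check SAML 2.0 metadata for
# overloaded endpoints. An SP that only knows the standard bindings selects
# an endpoint by Binding URI and cannot tell from the metadata that the same
# Location also serves a profile it does not understand.
import xml.etree.ElementTree as ET
from collections import defaultdict

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Binding URIs defined in the SAML V2.0 Bindings specification.
KNOWN_BINDINGS = frozenset({
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:URI",
})

# Constructed sample metadata (not from any real deployment). The URI
# "urn:example:hok-browser-sso-PLACEHOLDER" is a placeholder for a
# profile-specific Binding value and comes from no SAML specification.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
    <md:SingleSignOnService
        Binding="urn:example:hok-browser-sso-PLACEHOLDER"
        Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoints(metadata_xml, element="SingleSignOnService"):
    """Return (Binding, Location) pairs for every endpoint element of the
    given name, in document order."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}{element}")]


def overloaded_locations(metadata_xml, element="SingleSignOnService"):
    """Map each Location that appears under more than one Binding to the
    sorted list of those Bindings."""
    by_location = defaultdict(set)
    for binding, location in endpoints(metadata_xml, element):
        by_location[location].add(binding)
    return {loc: sorted(b) for loc, b in by_location.items() if len(b) > 1}


def unknown_bindings(metadata_xml, element="SingleSignOnService"):
    """Sorted Binding URIs that are not standard SAML 2.0 bindings."""
    return sorted({b for b, _ in endpoints(metadata_xml, element)
                   if b not in KNOWN_BINDINGS})


def select_endpoint(metadata_xml, binding, element="SingleSignOnService"):
    """What a plain SP does: take the first endpoint for a binding it knows.
    Returns the Location, or None if the IdP offers no such endpoint."""
    for b, loc in endpoints(metadata_xml, element):
        if b == binding:
            return loc
    return None


if __name__ == "__main__":
    redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    print("plain SP would use:", select_endpoint(SAMPLE_METADATA, redirect))
    for loc, bindings in overloaded_locations(SAMPLE_METADATA).items():
        print("overloaded:", loc, "->", ", ".join(bindings))
    for b in unknown_bindings(SAMPLE_METADATA):
        print("unrecognised binding:", b)
```

The plain SP in this example picks https://idp.example.org/sso/redirect for HTTP-Redirect without ever noticing that the same Location is also advertised under the placeholder binding, which is exactly the visibility gap the discussion describes. Running the two scan functions over a federation's aggregate metadata is a cheap way for an operator to see which entities are relying on endpoint overloading before deciding whether a new profile should get separate endpoints.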